In R. v. Orlandis-Habsburgo the Ontario Court of Appeal revisited the Supreme Court of Canada decisions in R. v. Spencer,R. v. Gomboc, and R. v. Plant. The case involved the routine sharing of energy consumption data between an electricity provider and the police. Horizon Utilities Corp. (Horizon) had a practice of regularly reviewing its customers’ energy consumption records, including monthly consumption figures as well as patterns of consumption throughout the day. When Horizon encountered data suggestive of marijuana grow operations, they would send it to the police. This is what occurred in Orlandis-Habsburgo. The police responded by requesting and obtaining additional information from Horizon. They then conducted observations of the accused’s premises. The police used a combination of data provided by Horizon and their own observation data to obtain a search warrant which ultimately led to charges against the accused, who were convicted at trial.

The defendants appealed their convictions, arguing that their rights under s. 8 of the Canadian Charter of Rights and Freedoms had been infringed when the police obtained data from Horizon without a warrant. The trial judge had dismissed these arguments, finding that the data were not part of the “biographical core” of the defendants’ personal information, and that they therefore had no reasonable expectation of privacy in them. Further, he ruled that given the constellation of applicable laws and regulations, as well as Horizon’s terms of service, it was reasonable for Horizon to share the data with the police. The Court of Appeal disagreed, finding that the appellants’ Charter rights had been infringed. The decision is interesting because of its careful reading of the rather problematic decision of the Supreme Court of Canada in Gomboc. Nevertheless, although the decision creates important space for privacy rights in the face of ubiquitous data collection and close collaboration between utility companies and the police, the Court of Appeal’s approach is highly contextual and fact-dependent.

A crucial fact in this case is that the police and Horizon had an ongoing relationship when it came to the sharing of customer data. Horizon regularly provided data to the police, sometimes on its own initiative and sometimes at the request of the police. It provided data about suspect residences as well as data about other customers for comparison purposes. Writing for the unanimous court, Justice Doherty noted that until the proceedings in this case commenced, Horizon had never refused a request from the police for information. He found that this established that the police and Horizon were working in tandem; this was important, since it distinguished the situation from one where a company or whistleblower took specific data to the police with concerns that it revealed a crime had been committed.

The Court began its Charter analysis by considering whether the appellants had a reasonable expectation of privacy in the energy consumption data. The earlier Supreme Court of Canada decisions in Plant and Gomboc both dealt with data obtained by police from utility companies without a warrant. In Plant, the Court had found that the data revealed almost nothing about the lifestyle or activities of the accused, leading to the conclusion that there was no reasonable expectation of privacy. In Gomboc, the Court was divided and issued three separate opinions. This led to some dispute as to whether there was a reasonable expectation of privacy in the data. In Orlandis-Habsburgo, the Crown argued that seven out of nine judges in Gomboc had concluded that there was no reasonable expectation of privacy in electricity consumption data. By contrast, the appellants argued that five of the nine judges in Gomboc had found that there was a reasonable expectation of privacy in such data. The trial judge had sided with the Crown, but the Court of Appeal found otherwise. Justice Doherty noted that all of the judges in Gomboc considered the same factors in assessing the reasonable expectation of privacy:“the nature of the information obtained by the police, the place from which the information was obtained, and the relationship between the customer/accused and the service provider.” (at para 58) He found that seven of the judges in Gomboc had decided the reasonable expectation of privacy issue on the basis of the relationship between the accused and the utility company. At the same time, five of the justices had found that the data was of a kind that had the potential to reveal personal activities taking place in the home. He noted that: “In coming to that conclusion, the five judges looked beyond the data itself to the reasonable inferences available from the data and what those inferences could say about activities within the home.” (at para 66) He noted that this was the approach taken by the unanimous Supreme Court in R. v. Spencer, a decision handed down after the trial judge had reached his decision in Orlandis-Habsburgo. He also observed that the relationship between the customer and the service provider in Orlandis-Habsburgo was different in significant respects from that in Gomboc, allowing the two cases to be distinguished. In Gomboc, a provincial regulation provided that information from utility companies could be shared with the police unless customers explicitly requested to opt-out of such information sharing. No such regulation existed in this case.

Justice Doherty adopted the four criteria set out in Spencer for assessing the reasonable expectation of privacy. There are: “(1) the subject matter of the alleged search; (2) the claimant's interest in the subject matter; (3) the claimant's subjective expectation of privacy in the subject matter; and (4) whether this subjective expectation of privacy was objectively reasonable, having regard to the totality of the circumstances.” (Spencer, at para 18) On the issue of the subject matter of the search, the Court found that the energy consumption data included “both the raw data and the inferences that can be drawn from that data about the activity in the residence.” (at para 75) Because the data and inferences were about a person’s home, the Court found that this factor favoured a finding of a reasonable expectation of privacy. With respect to the interest of the appellants in the data, the Court found that they had no exclusive rights to these data – the energy company had a right to use the data for a variety of internal purposes. The Court described these data as being “subject to a complicated and interlocking myriad of contractual, legislative and regulatory provisions” (at para 80), which had the effect of significantly qualifying (but not negating) any expectation of privacy. Justice Doherty found that the appellants had a subjective expectation of privacy with respect to any activities carried out in their home, and he also found that this expectation of privacy was objectively reasonable. In this respect, he noted that although there were different documents in place that related to the extent to which Horizon could share data with the police, “one must bear in mind that none are the product of a negotiated bargain between Horizon and its customers.” (at para 84) The field of energy provision is highly regulated, and the court noted that “[t]he provisions in the documents to which the customers are a party, permitting Horizon to disclose data to the police, cannot be viewed as a ‘consent’ by the customer, amounting to a waiver of any s. 8 claim the customer might have in the information.” (at para 84) That being said, the Court also cautioned against taking any of the terms of the documents to mean that there was a reasonable expectation of privacy. Justice Doherty noted that “The ultimate question is not the scope of disclosure of personal information contemplated by the terms of the documents, but rather what the community should legitimately expect in terms of personal privacy in the circumstances.” (at para 85) He therefore described the terms of these documents as relevant, but not determinative.

The documents at issue included terms imposed on the utility by the Ontario Energy Board. Under these terms, Horizon is barred from using customer information for purposes other than those for which it was obtained without the customer’s consent. While there is an exception to the consent requirement where the information is “required to be disclosed. . . for law enforcement purposes”, Justice Doherty noted that in this case the police had, at most, requested disclosure – at no point was the information required to be disclosed. He found that the terms of the licence distinguished this case from Gomboc and supported a finding of a reasonable expectation of privacy in the data.

The Court also looked at the Distribution System Code (DSC) which permits disclosure to police of “possible unauthorized energy use”. However, Justice Doherty noted that this term was not defined, and no information was provided in the document as to when it was appropriate to contact police. He found this provision unhelpful in assessing the reasonable expectation of privacy. The Court found the Conditions of Service to be similarly unhelpful. By contrast, the privacy policy provided that the company would protect its customers’ personal information, and explicitly set out the circumstances in which it might disclose information to third parties. One of these was a provision for disclosure “to personas as permitted or required by Applicable Law”.Those applicable laws included the provincial Municipal Freedom of Information and Protection of Privacy Act(MFIPPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) Justice Doherty looked to the Supreme Court of Canada’s interpretation of PIPEDA in Spencer. He found that the exception in PIPEDA that permitted disclosure of information to law enforcement could only occur with “lawful authority” and that “[t]he informal information-sharing arrangement between Horizon and the police described in the evidence is inconsistent with both the terms of Horizon’s licence and the disclosure provisions in PIPEDA.” (at para 104) He also found that it did not amount to “lawful authority” for a request for information.

The respondents argued that s. 32(g) of MFIPPA provided a basis for disclosure. This provision permits disclosures to law enforcement agencies without referencing any need for “lawful authority”.However, Justice Doherty noted that, like PIPEDA, MFIPPA has as its primary goal the protection of personal information. He stated:“That purpose cannot be entirely negated by an overly broad and literal reading of the provisions that create exceptions to the confidentiality requirement.” (at para 106) He noted that while s. 32(g) provides an entity with discretion to release information in appropriate circumstances, the exercise of this discretion requires “an independent and informed judgment” (at para 107) in relation to a specific request for information. The provision could not support the kind of informal, ongoing data-sharing relationship that existed between Horizon and the police. Similarly, the court found that the disclosure could not be justified under the exception in s. 7(3)(d)(i) of PIPEDA that allowed a company to disclose information where it had “reasonable grounds to believe that the information relates to . . . a contravention of the laws of Canada”. While Justice Doherty conceded that such disclosures might be possible, in the circumstances, Horizon “did not make any independent decision to disclose information based on its conclusion that reasonable grounds existed to believe that the appellants were engaged in criminal activity.” (at para 110) It simply passed along data that it thought might be of interest to the police.

Although the Court of Appeal concluded that there was a reasonable expectation of privacy in the energy consumption data, and that the search was unreasonable, it ultimately found that the admission of the evidence would not bring the administration of justice into disrepute. As a result, the convictions were upheld.The court cited, in support of its conclusion that the trial judge had reached his decision prior to the Supreme Court of Canada’s decision in Spencer, and that the error in the judge’s approach was only evident after reading Spencer.

Skirmishes over right to freely access and use “publicly available” data hosted by internet platform companies have led to an interesting decision from the U.S. District Court from the Northern District of California. The decision is on a motion for an interlocutory injunction, so it does not decide the merits of the competing claims. Nevertheless, it provides insight into a set of issues that are likely only to increase in importance as these rich troves of data are mined by competitors, opportunistic businesses, big data giants, researchers and civil society actors.

The parties in hiQ Labs Inc. v LinkedIn Corp. are companies whose business models are based upon career-related personal information provided by professionals. LinkedIn offers a professional networking platform to over 500 million users, and it is easily the leading company in its space. hiQ, for its part, is a data analytics company with two main products aimed at enterprises. The first is “Keeper”, a product which informs corporations about which of their employees are at greatest risk of being poached by other companies. The second is “Skill Mapper” which provides businesses with summaries of the skills of their employees. For both of its products hiQ relies on data that it scrapes from LinkedIn’s publicly accessible web pages.

Data featured on LinkedIn’s site are provided by users who create accounts and populate their profiles with a broad range of information about their background and skills. LinkedIn members have some control over the extent to which their information will be shared by others. They can choose to limit access to their profile information to only their close contacts or to an expanded list of contacts. Alternatively, they can provide access to all other members of LinkedIn. They also have the option to make their profiles entirely public. These public profiles are searchable by search engines such as Google. It is the data in the fully public profiles that is scraped and used by hiQ.

hiQ is not the only company that scrapes data from LinkedIn as part of an independent business model. In fact, LinkedIn has only recently attempted to take legal action against a large number of users of its data. hiQ was just one of many companies that received a cease and desist letter from LinkedIn. Because being cut off from the LinkedIn data would effectively decimate its business, hiQ responded by seeking a declaration from the California court that its activities were legal. The recent decision from the court is in relation to hiQ’s request for an interlocutory injunction that will allow it to continue to access the LinkedIn data pending resolution of the substantive legal issues raised by both sides.

hiQ argued that in moving against its data scraping activities, LinkedIn engaged in unfair business practices, and violated its free speech rights under the California constitution. LinkedIn, for its part, argued that hiQ’s data scraping activities violated the Computer Fraud and Abuse Act (CFAA), as well as the digital locks provisions Digital Millennium Copyright Act (DMCA) (although these latter claims do not feature in the decision on the interlocutory injunction).

Like other platform companies, access to and use of LinkedIn’s site is governed by website Terms of Service (TOS). These TOS prohibit data scraping. When LinkedIn demanded that hiQ cease scraping data from its site, it also implemented technological protection measures to prevent access by hiQ to its data. LinkedIn’s claims under the CFAA and the DMCA are based largely on the circumvention of these technological barriers by hiQ.

The court ultimately granted the injunction barring LinkedIn from limiting hiQ’s access to its publicly available data pending the resolution of the issues in the case. In doing so, it expressed its doubts that the CFAA applied to hiQ’s activity, noting that if it did, it would “profoundly impact open access to the Internet.” It also found that attempts by LinkedIn to block hiQ’s access might be in breach of state law as anti-competitive behavior.In reaching its decision, the court had some interesting things to say about the importance of access to publicly accessible data, and the privacy rights of those who provided the data. These issues are highlighted in the discussion below.

In deciding whether to grant an interlocutory injunction, a court must assess both the possibility of irreparable harm and the balance of convenience as between the parties. In this case, the court found that denying hiQ access to LinkedIn data would essentially put it out of business – causing it irreparable harm. LinkedIn argued that it was imperative that it be allowed to protect its data because of its users’ privacy interests. While hiQ only scraped data from public profiles, LinkedIn argued that even those users with public profiles had privacy interests. I noted that 50 million of its users with public profiles had selected its “Do Not Broadcast” feature which prevents profile updates from being broadcast to a user’s connections. LinkedIn described this as a privacy feature that would essentially be circumvented by routine data scraping. The court was not convinced. In the first place, it found that there might be many reasons besides privacy concerns that motivated users to choose “do not broadcast”. It gave as an example the concern by users that their connections not be spammed by endless notifications. The Court also noted that LinkedIn had its own service for professional recruiters that kept them apprised of updates even from users who had implemented “Do Not Broadcast”. The court dismissed arguments by LinkedIn that this was different because users had consented to such sharing in their privacy policy. The court stated: “It is unlikely, however, that most users’ actual privacy expectations are shaped by the fine print of a privacy policy buried in the User Agreement that likely few, if any, users have actually read.” [Emphasis in original] This is interesting, because the court discounts the relevance of a privacy policy in informing users’ expectations of privacy. Essentially, the court finds that users who make their profiles public have no real expectation of privacy in the information. LinkedIn could therefore not rely on its users’ privacy interests to justify its actions.

In assessing whether the parties raised serious questions going to the merits of the case, the court considered LinkedIn’s arguments about the CFAA. The CFAA essentially criminalizes intentional access to a computer without authorization, or in a way that exceeds the authorization provided, with the result that information is obtained. The question, therefore, was whether hiQ’s continued access to the LinkedIn site after LinkedIn expressly revoked any permission and tried to bar its access, was a violation of the CFAA. The court dismissed the cases cited by LinkedIn in support of its position, noting that these cases involved unauthorized access to password protected sites as opposed to accessing publicly available information.

The court observed that the CFAA was enacted largely to deal with the problem of computer hacking. It noted that if the application of the law was extended to publicly accessible websites it would greatly expand the scope of the legislation with serious consequences. The court noted that this would mean that “merely viewing a website in contravention of a unilateral directive from a private company would be a crime.” [Emphasis in original] It went on to note that “The potential for such exercise of power over access to publicly viewable information by a private entity weaponized by the potential of criminal sanctions is deeply concerning.”The court placed great emphasis on the importance of an open internet. It noted that “LinkedIn, here, essentially seeks to prohibit hiQ from viewing a sign publicly visible to all”.It clearly preferred an interpretation of the CFAA that would be limited to unauthorized access to a computer system through some form of “authentication gateway”.

The court also found that hiQ raised serious questions that LinkedIn’s behavior might fall afoul of competition laws in California. It noted that LinkedIn is in a dominant position in the field of professional networking, and that it might be leveraging its position to get a “competitively unjustified advantage in a different market.” It also accepted that it was possible that LinkedIn was denying its competitors access to an essential facility that it controls.

The court was not convinced by hiQ’s arguments that the technological barriers erected by LinkedIn violated the free speech guarantees in the California Constitution. Nevertheless, it found that on balance the public interest favoured the granting of the injunction to hiQ pending the outcome of litigation on the merits.

This dispute is extremely interesting and worth following. There are a growing number of platforms that host vast stores of publicly accessible data, and these data are often relied upon by upstart businesses (as well as established big data companies, researchers, and civil society) for a broad range of purposes. The extent to which a platform company can control its publicly accessible data is an important one, and one which, as the California court points out, will have important public policy ramifications. The related privacy issues – where the data is also personal information – are also important and interesting. These latter issues may be treated differently in different jurisdictions depending upon the applicable data protection laws.

The Supreme Court of Canada has just granted leave to appeal a decision of the British Columbia Court of Appeal in a case involving evidentiary issues in the province’s law suit to recover health care costs from the tobacco industry. The law suit was brought under the Tobacco Damages and Health Care Costs Recovery Act – a law passed specifically for the purpose of recovering health care costs from the industry. The case raises interesting issues regarding the balance between privacy rights and fairness in litigation; it also touches on issues or re-identification risk in aggregate health care data.

Under the B.C. statute, the province has two options for recovering health care costs. It can recover actual costs for particular identified individuals, or it can recover costs on an aggregate basis “for a population of insured persons as a result of exposure to a type of tobacco product.” (s. 2(1)) The province chose the second option. Under s. 2(5) of the Act, if this route is chosen, the province is not required to identify specific individuals or to establish tobacco-related illnesses with respect to those individuals. Further, the health records of specific individuals need not be provided as part of the litigation. However, if aggregate data is relied upon, the court retains the right to “order discovery of a statistically meaningful sample” of the records, and can issue “directions concerning the nature, level of detail and type of information to be disclosed.” The court must nevertheless ensure that the identities of the specific individuals to whom the data pertain are not disclosed.

The province generated aggregate statistical data regarding costs from its databases of health care services provided to insured persons, and indicated its intention to rely upon this data to prove its case. The defendant tobacco companies sought access to the data relied upon by the province. The province declined to provide the data directly. Instead it arranged for a limited form of access through third party intermediaries, which included Statistics Canada employees. Although some of the defendants accepted this approach, Philip Morris International (PMI) did not. It argued that it was entitled to access the data itself in order to assess the reliability and accuracy of the province’s analyses. Both the court at first instance and the B.C. Court of Appeal ultimately sided with PMI.

The B.C. Information and Privacy Commissioner, who intervened in the appeal before the B.C. Court, argued that “the interpretation of a statutory provision aimed at protecting personal privacy must be approached in light of the importance of protection of privacy as a fundamental value in Canadian society” (at para 25 of the BCCA decision). He maintained that the court should rely upon the Freedom of Information and Protection of Privacy Act (FIPPA) in interpreting the Tobacco Act, and that FIPPA required the terms “personal information” and “record” to be given a broad interpretation. The Court of Appeal summarily rejected this argument, stating that “FIPPA does not limit the information available by law to a party to a proceeding (s. 3(2)) and has no role in the interpretation of s. 2(5)(b).” (at para 25)

The Court of Appeal noted that the Tobacco Act provided two routes for the province to establish damages, one that required consideration of individual health records and one that did not. It chose the second route, which means that in general terms, individual health records are not compellable. The province argued that their decision to choose this route was motivated by a desire to protect the privacy of affected individuals. The Information and Privacy Commissioner argued that a requirement to disclose the aggregate data “has privacy implications for millions of insured persons who are not involved as litigants in the underlying action.” (at para 28) The Court of Appeal noted, however, that the legislation established the ‘playing field’ on which the litigation would take place and that there was no indication that this playing field was not intended to be even. It observed that the legislation does not make privacy a “paramount concern” (at para 31) since it did provide the province with the option to choose a route that would involve consideration of thousands of specific records. Had this route been chosen, the Court noted, “all of the individualized persons’ health care records would be subject to discovery and disclosure notwithstanding any privacy concerns that such disclosure might raise.” (at para 31)

With an aggregate action, the focus is not on individualized health care records. Section 2(5)(b) protects the privacy of individuals if such a route is chosen, and prevents “the aggregate action from becoming bogged down with “individual forms of discovery” in which the defendants could demand voluminous records of thousands or millions of people.” (at para 34) However, the Court noted that in following this route, the province will rely upon the data generated from its databases to establish both causation and damage. This makes the databases highly relevant to the litigation. The Court noted that s. 2(5)(b) “is not intended to block the discovery of the cumulative data contained in the databases, which data is essential to prove causation and damages.” (at para 35)

The Court ruled that the anonymized data on which the province would base its analyses would pose “no realistic threat to personal privacy.” (at para 36) Further, the defendants would be bound not to disclose the information provided to them as part of the litigation-related implied undertaking. The Court also observed that the identity of the specific individuals would be of no interest to the defendants, making it highly unlikely any attempts at re-identification would be made.

The Court of Appeal was particularly concerned about the unfairness that might result if “The only data available to the defendants would be the data the Province offers up on restrictive terms, or the data the Province’s testifying experts eventually choose to rely on in their reports.” (at para 37) It found that fairness required that the databases be produced.

It should be noted that in reaching its decision, the B.C. Court of Appeal declined to follow a judgment from the New Brunswick Supreme Court in a very similar case under nearly identical legislation. In Her Majesty the Queen in Right of the Province of New Brunswick v. Rothmans Inc., the judge had dismissed an application by the defendant tobacco companies for the production of anonymized health care data in the same circumstances. The judge in that case had access to the decision of the B.C. Supreme Court which had ordered production of the databases, but had declined to follow that decision on the basis that the anonymization of the data would not be sufficient to protect privacy, and that the database was “a document containing information that relates to the provision of health care benefits for “particular individuals””. (BCCA decision at para 20) In declining to follow the New Brunswick decision, the B.C. Court of Appeal observed that the New Brunswick judge had relied entirely on the privacy provisions and “did not attempt to read the provisions in the New Brunswick Act as a harmonious whole.” (at para 39) The New Brunswick Court of Appeal declined leave to appeal. With two conflicting decisions from two different provinces, the matter is now heading to the Supreme Court of Canada.

Toronto Star journalist Theresa Boyle has just won an important victory for access to information rights and government transparency – one that is likely to be challenged before the Ontario Court of Appeal. On June 30, 2017, three justices of the Ontario Divisional Court unanimously upheld an adjudicator’s order that the Ministry of Health and Long-Term Care disclose the names, annual billing amounts and fields of medical specialization of the 100 top-billing physicians in Ontario. The application for judicial review of the order was brought by the Ontario Medical Association, along with many of the doctors on the disputed list (the Applicants).

The amount that the Ontario Health Insurance Program (OHIP) pays physicians for services rendered is government information. Under the Freedom of Information and Protection of Privacy Act (FOIPPA), the public has a right of access to government information – subject to specific exceptions that serve competing issues of public interest. One of these is privacy – a government institution can refuse to disclose information if it would reveal personal information. The Ministry had been willing to disclose the top 100 amounts billed to OHIP, but it refused to disclose the names of the doctors or some of the areas of specialization (which might lead to their identification) on the basis that this was the physicians’ personal information. The Adjudicator disagreed and found that the billing information, including the doctors’ names, was not personal information. Instead, it identified the physicians in their professional capacity. FOIPPA excludes this sort of information from the definition of personal information.

The Applicants accepted that the physicians were named in the billing records in their professional capacity. However, they argued that when those names were associated with the gross amounts, this revealed “other personal information”.In other words, they argued that the raw billing information did not reflect the business overhead expenses that physicians had to pay from their earnings. As a result, this information, if released, would be misinterpreted by the public as information about their net incomes. They argued that this made converted it into “other personal information relating to the individual” (s. 2(1)(h)). How much doctors bill OHIP should be public information. The idea that the possibility that such information might be misinterpreted could be a justification for refusal to disclose it is paternalistic. It also has the potential to stifle access to information. The argument deserved the swift rejection it received from the court.

The Applicants also argued that the adjudicator erred by not following earlier decisions of the Office of the Information and Privacy Commissioner (OIPC) that had found that the gross billing amounts associated with physician names constituted personal information. Adjudicator John Higgins ruled that “Payments that are subject to deductions for business expenses are clearly business information.” (at para 18) The Court observed that the adjudicator was not bound to follow earlier OIPC decisions. Further, the issue of consistency could be looked at in two ways. As the adjudicator himself had noted, the OIPC had regularly treated information about the income of non-medical professionals as non-personal information subject to disclosure under the FOIPPA; but for some reasons had treated physician-related information differently. Thus, while one could argue that the adjudicator’s decision was inconsistent with earlier decisions about physician billing information, it was entirely consistent with decisions about monies paid by government to other professionals. The Court found no fault with the adjudicator’s approach.

The Applicants had also argued that Ms Boyle “had failed to establish a pressing need for the information or how providing it to her would advance the objective of transparency in government.” (para 31). The court gave this argument the treatment it deserved – they smacked it down. Justice Nordheimer observed that applicants under the FOIPPA are not required to provide reasons why they seek information. Rather, the legislation requires that information of this kind “is to be provided unless a privacy exception is demonstrated.” (at para 32) Justice Nordheimer went on to note that under access to information legislation, “the public is entitled to information in the possession of their governments so that the public may, among other things, hold their governments accountable.” He stated that “the proper question to be asked in this context, therefore, is not “why do you need it?” but rather is “why should you not have it.”” (at para 34).

This decision of the Court is to be applauded for making such short work of arguments that contained little of the public interest and a great deal of private interest. Transparency within a publicly-funded health care system is essential to accountability. Kudos to Theresa Boyle and the Toronto Star for pushing this matter forward. The legal costs of $50,000 awarded to them make it clear that transparency and accountability often do not come cheaply or without significant effort. And those costs continue to mount as the issues must now be hammered out again before the Ontario Court of Appeal.

Bill C-58, the government’s response to years of calls for reform of Canada’s badly outdated Access to Information Act has been criticized for falling far short of what is needed and from what was promised during the last election campaign. I share this concern. However, this blog post focuses on a somewhat different issue raised by Bill C-58 – the new relationship it will create around privacy as between the Offices of the Information Commissioner and the Privacy Commissioner of Canada.

While Canadian provinces combine access to information and the protection of personal information in the hands of government under a single statute and a single commissioner, the federal government has kept these functions separate. As a result, there is a federal Information Commissioner charged with administering the Access to Information Act and a federal Privacy Commissioner charged with administering the Privacy Act.In 2001, the Privacy Commissioner was also given the task of overseeing Canada’s private sector data protection statute, the Personal Information Protection and Electronic Documents Act(PIPEDA). Certainly at the federal level it makes sense to separate the two regimes. While there is a close relationship between access and privacy (citizens have a right of access to their personal information in the hands of government, for example; and access rights are limited by the protection of the personal information of third parties), access to information and the protection of privacy have important – and sometimes conflicting – differences in their overall objectives. The reality is, as well, that both bring with them substantial and growing workloads, particularly at the federal level. Just as the role of the Privacy Commissioner has expanded with the addition of new responsibilities under PIPEDA, with the rapid advance of information technologies, and with new challenges at in relation to the actions of law enforcement and national security officials, so too has the Information Commissioner’s role been impacted by technology, and by the growing movement towards open government and open data.

In spite of these different spheres of activity, there remain points of intersection between access and privacy. These points of intersection are significant enough that changes to the role of one Commissioner may have implications for the other. For example, a government institution under the ATIA can refuse to disclose records if doing so would reveal third party personal information. The Information Commissioner, fielding a complaint about such a refusal, will consider whether the information at issue is personal information and whether it should be disclosed. The federal Privacy Commissioner, dealing with complaints regarding the mishandling of personal information, must also determine what is or is not personal information.

This overlap is poised to be affected by proposed changes to the ATIA. First, Bill C-58 will make the definition of “personal information” in the ATIA match that in the Privacy Act. Second – and significantly – the Bill will give the Information Commissioner order-making powers. This means that the Information Commissioner can rule on whether information in the hands of a government institution is or is not personal information. The decision will be binding and enforceable if it is not challenged. The Privacy Commissioner currently does not have order-making powers (these are on the wish-list for Privacy Act reform). Ironically, then, this means that the Information Commissioner will be in a position to make binding orders regarding what constitutes personal information in the hands of government whereas the Privacy Commissioner cannot. Even if the Privacy Commissioner eventually gets such powers, there will still be the potential for conflicting decisions/interpretations about how the definition of personal information should be applied to particular types of information.

No doubt in recognition of the potential for conflict in the short and longer term, Bill C-58 provides for the Information Commissioner to consult with the Privacy Commissioner. The proposed new section 36.2 reads:

36.‍2 If the Information Commissioner intends to make an order requiring the head of a government institution to disclose a record or a part of a record that the head of the institution refuses to disclose under subsection 19(1), the Information Commissioner may consult the Privacy Commissioner and may, in the course of the consultation, disclose to him or her personal information. [my emphasis]

In theory then, the Information Commissioner should touch base with the Privacy Commissioner before making orders regarding what is or is not personal information, or perhaps even whether certain personal information is subject to disclosure. It is worth noting, however, that the new provision uses the verb “may”, rather than “must”. Neither consultation nor consensus is mandatory.

Bill C-58 anticipates potential problems. A revised section 37(2) requires the Information Commissioner to give notice to the Privacy Commissioner before any order is made regarding the disclosure of personal information. Section 41(4) then provides:

41(4) If neither the person who made the complaint nor the head of the institution makes an application under this section within the period for doing so, the Privacy Commissioner, if he or she receives a report under subsection 37(2), may, within 10 business days after the expiry of the period referred to in subsection (1), apply to the Court for a review of any matter in relation to the disclosure of a record that might contain personal information and that is the subject of the complaint in respect of which the report is made.

Thus, if the Privacy Commissioner disagrees with a decision of the Information Commissioner regarding what constitutes personal information or whether it should be released, he can apply to a court to have the dispute resolved before a final order is made by the Information Commissioner. Note that this can happen even if the applicant and the government institution are satisfied with the Commissioner’s proposed resolution.

It will be interesting to see whether the Privacy Commissioner will get order-making powers if and when the Privacy Act is reformed. This seems likely. What will be even more interesting will be whether any decision by the Privacy Commissioner about what constitutes “personal information” will similarly be open to challenge by the Information Commissioner, with the outcome to be settled by the Federal Court. This too seems likely. In the provinces, decisions about personal information for access and privacy purposes are made by a single Commissioner. The best way to achieve consensus as to the meaning of “personal information” at the federal level with two different Commissioners with different mandates, will be to have any conflicts referred to the courts. This will add a layer of delay in any case where disputes arise, although in theory at least, with open lines of communication between the two Commissioners, such disputes may be few and far between. Nevertheless, there may be a disadvantage in pushing controversies over the definition of “personal information” directly to the courts which lack the same experience and expertise as the two Commissioners in an increasingly complex data landscape. True, the courts already have the last word when it comes to interpreting the definitions of personal information in either statute. But those interpretations have, to date, been confined in impact to one or the other of the statutes and understood in the context of the particular legislative goals underlying the specific statute at issue. The impact of these changes will interesting to monitor.

Note that for ease of reference the different provisions of the bills/laws discussed here are reproduced at the end of this post.

The Liberal government, which had promised during the last election campaign to reform Canada’s outdated Access to Information Act (ATIA) has tabled its reforms in Bill C-58. First reviews of the bill, by key users of the ATIA such as academics and journalists have been highly critical of the many ways in which the proposed reforms fall short of what was promised.While acknowledging the importance and salience of these critiques, this post will focus on two very specific amendments in this Bill that are most welcome.

Government departments and agencies subject to the ATIA have long been able to refuse to disclose records covered by solicitor-client privilege. This is an important exception. As the Supreme Court of Canada stated in Blood Tribe, “Solicitor-client privilege is fundamental to the proper functioning of our legal system.” (at para9). The court noted that the privilege permits a free flow of legal advice between lawyer and client, and stated that without solicitor-client privilege, “access to justice and the quality of justice in this country would be severely compromised.” (para 9) It is not surprising, therefore that documents covered by solicitor-client privilege would not be disclosable under the ATIA. In the same vein, the right to access one’s personal information under the federal Privacy Act, or the Personal Information Protection and Electronic Documents Act (PIPEDA), is similarly limited – access cannot be had to records containing personal information that are subject to solicitor-client privilege.

While this is understandable, the problem has long been that there has been no proper oversight of assertions of solicitor-client privilege by record-holders. The courts have treated the privilege as so absolute, that only the most explicit statutory language will permit a Commissioner (whether the Information Commissioner or a Privacy Commissioner) to review such documents in order to determine whether the claimed privilege is actually justified. In Blood Tribe, the Supreme Court of Canada found that the rather open-ended language in PIPEDA did not meet the test, and as a result the federal Privacy Commissioner could not review claims of solicitor client privilege in records containing personal information under that statute. Much clearer language was needed.

While the outcome in Blood Tribe is fair enough, a 2016 decision by the Supreme Court of Canada seemed to move from protecting solicitor client privilege to fetishizing it.In Alberta (Information and Privacy Commissioner) v. University of Calgary, the Supreme Court of Canada considered wording in Alberta’s Freedom of Information and Protection of Privacy Act that was quite a bit more explicit than that in PIPEDA, and that appeared quite sufficient to give Alberta’s Commissioner the power to review claims of solicitor-client privilege in government records sought through access to information requests. Yet the majority of the Court determined that Blood Tribe dictated that only the clearest statutory language could derogate from the protection of solicitor-client privilege. They took the position that solicitor-client privilege was no mere privilege of the law of evidence. It arose in circumstances outside the court room, and had the character of “an important civil and legal right and a principle of fundamental justice in Canadian law.” (at para 41) Because of this, the majority ruled that the wording of the statute, which allowed the Commissioner to access records “despite . . . any privilege of the law of evidence” (s. 56(3) was “not sufficiently clear, explicit and unequivocal to evince legislative intent to set aside solicitor-client privilege.” (at para 44) It should be noted that Justice Cromwell wrote a separate opinion in University of Calgary making it clear that he strongly disagreed with the interpretation of the majority, and stating that in his view the language of the statute was perfectly clear and gave the necessary powers to the Commissioner. The majority decision in University of Calgary was so surprising that Ontario’s Information and Privacy Commissioner in his Annual Report released in mid-June 2017, asked the Ontario government to amend very similar language in Ontario’s Freedom of Information and Protection of Privacy Act so as to make it crystal clear that the Ontario Commissioner has the power to review claims of solicitor client privilege in documents being withheld by government departments and agencies.

If passed, Bill C-58 will amend section 36(2) of the ATIA to provide in language that even the most punctilious judge would find hard to ignore, that the Information Commissioner can review records being withheld on the basis of solicitor-client privilege in order to determine whether such privilege is properly claimed. Notably, the bill will also amend the Privacy Act to add similar language giving the Privacy Commissioner the power to review records withheld under claims of solicitor client privilege. Both sets of amendments make it clear that this review does not constitute a waiver of those privileges or of professional secrecy. It is a necessary compromise to ensure a proper balancing of interests. These changes, at least, should be welcome.

Statutory language discussed in the above post:

PIPEDA (interpreted in Blood Tribe and found to be too vague to support review by the Commissioner):

12.1 (1) In the conduct of an investigation of a complaint, the Commissioner may

[. . . ]

(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible

Access to Information Act (currently):

36 (2) Notwithstanding any other Act of Parliament or any privilege under the law of evidence, the Information Commissioner may, during the investigation of any complaint under this Act, examine any record to which this Act applies that is under the control of a government institution, and no such record may be withheld from the Commissioner on any grounds.

Privacy Act (currently):

34 (2) Notwithstanding any other Act of Parliament or any privilege under the law of evidence, the Privacy Commissioner may, during the investigation of any complaint under this Act, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen’s Privy Council for Canada to which subsection 70(1) applies, and no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds.

Freedom of Information and Protection of Privacy Act (Alberta) (at issue in University of Calgary and found to be insufficient):

56(3) Despite any other enactment or any privilege of the law of evidence, a public body must produce to the Commissioner within 10 days any record or a copy of any record required under subsection (1) or (2).

Ontario’s Freedom of Information and Protection of Privacy Act:

52 (4) In an inquiry, the Commissioner may require to be produced to the Commissioner and may examine any record that is in the custody or under the control of an institution, despite Parts II and III of this Act or any other Act or privilege, and may enter and inspect any premises occupied by an institution for the purposes of the investigation. R.S.O. 1990, c. F.31, s. 52 (4).

Proposed Amendment to the Access to Information Act in Bill C-58:

36 (2) Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, and subject to subsection (2.1), the Information Commissioner may, during the investigation of any complaint under the Part, examine any record to which this Part applies that is under the control of a government institution, and not such record may be withheld from the Commissioner on any grounds.

Proposed Amendment to the Privacy Act in Bill C-58:

34 (2) Despite any other Act of Parliament, any privilege under the law of evidence, solicitor-client privilege or the professional secrecy of advocates and notaries and litigation privilege, and subject to subsection (2.1), the Privacy Commissioner may, during the investigation of any complaint under the Act, examine any information recorded in any form under the control of a government institution, other than a confidence of the Queen’s Privy Council for Canada to which subsection 70(1) applies, and no information that the Commissioner may examine under this subsection may be withheld from the Commissioner on any grounds.

A major investigative report by Brigitte Bureau of Radio Canada (CBC English language version here) has revealed what has long been suspected – that Canadian police forces are using IMSI Catchers to harvest substantial amounts of telecommunications data with uncertain oversight and no transparency. The issue is one that should trouble all Canadians, reminding us not to become complacent about the health of our free and democratic society.

The cell phones we carry with us are in constant quiet interaction with nearby cellphone towers – ensuring a quick connection when we need one. As part of this process, our phones communicate their unique identifiers to these towers. An IMSI catcher (also known as a Stingray) will simulate a cell phone tower and will encourage all cell phones in the area to communicate with it. As it does so, it harvests and stores these identifiers. In this way, data is collected about phones in the vicinity, which can, of course, be ultimately linked to specific individuals. Although a police force may deploy an IMSI catcher in the context of a specific investigation with a target suspect or suspects in mind, the harvesting of data is indiscriminate and will affect all individuals with cell phones in the vicinity. In cities, this can mean thousands of individuals at a time.

While it would be foolish to dismiss the importance of the role played by law enforcement and national security in our societies, it would be equally foolish to passively accept surveillance without the safeguards of oversight, transparency and accountability. The Criminal Code contains an entire section devoted to the rules that govern how law enforcement officials may carry out investigations, including detailed rules governing warrants for the interception of telecommunications, production orders for data, tracking warrants (including tracking of cell phones), and general warrants. These provisions require police to go before a judge or a justice of the peace to make their case for the surveillance, and to have the boundaries of the search established. This authorization procedure acts as a safeguard to ensure a proper balance between the rights of individuals and the collective interest, and to ensure that surveillance does not become routine, ubiquitous, and unrestrained. Unfortunately, there remain question marks around the application of these provisions to technologies such as IMSI catchers: some question whether a warrant is need at all (see discussion below); others argue that the technology merits a lower threshold for obtaining a warrant. In addition, it should be noted that there is no guarantee that any warrant obtained will specify what must happen to the data that is collected about individuals who are not the target of an investigation. In other words, there are no guarantees that such data will be destroyed once it is found not relevant to the particular investigation for which the warrant was obtained.

It has long been suspected that police forces in Canada have been using IMSI catchers in their investigations. Either because such use was being carried out without warrants, or because the warrants remained sealed from public view, this usage has been invisible to ordinary Canadians. It is also quite possible that much of this activity has taken place with no oversight at all. In fact, police forces have been evasive in responding to questions about IMSI catcher use. What the Radio Canada reports reveal is that IMSI catchers are in fact being used in Canada, and that such use is entirely non-transparent. We should be extremely concerned.

Arguments for obscurity around law enforcement use of IMSI catchers have two main threads. The first is that such devices do not impact privacy and therefore warrant neither transparency nor oversight measures. This is nonsense. The IMSI catchers are used in order to detect the location and movement of specific individuals. Beyond this, they capture a vast amount of data that can be used to detect the location and movement of anyone in the area of the IMSI catcher. This has privacy implications not just for those who are the targets of the police investigation but for all who are caught up in the dragnet. Without transparency and oversight no one will know what data about them has been collected by police, to what uses this data is put, or how long it will be retained. The second thread is the assertion that if police disclose what they are doing, the bad guys will stay one step ahead of them. However, it is fairly clear that those engaged in organized criminal activity are well aware of the existence and potential use of IMSI catchers. Transparency does not have to mean making public announcements that an IMSI catcher is currently in use in a particular location. Arguments that transparency will undermine investigations are spurious and should not be used to justify extensive covert use of surveillance technologies by police that impact on tens of thousands of ordinary citizens.

In August 2016, CIPPIC, the Munk School of Global Affairs and the Telecom Transparency Project issued a report (Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada) on suspected but unconfirmed IMSI catcher use in Canada. The report provides a detailed overview of the technology, and examines how the use of IMSI catchers in other countries – including the United States – has been made more transparent and accountable. It is interesting to note that the growing body of law in the US that regulates IMSI catcher use evolved out of a similar cloud of deliberate evasion and obscurity that was brought to public attention by the activities of investigative journalists.

After reviewing the measures put in place in other jurisdictions to provide a legal framework for the use of IMSI catchers, the authors of Gone Opaque highlighted a number of legal safeguards that should be considered by Canadian policy makers. In the first place, the use of IMSI catchers should be subject to judicial oversight through the warrant provisions of the Criminal Code, and the threshold should be set to require police to demonstrate that they have reasonable and probably grounds to believe that an offence has or will be committed, as opposed to the much lower threshold of a “reasonable suspicion”. There should also be transparency mechanisms in place which can include statistical reporting on the incidence and scope of use, as well as the provision of some form of notification to all individuals who have been subject to IMSI catcher surveillance. Gone Opaque also discusses imposing proportionality measures such as limiting the use of IMSI catchers only to serious crimes or where other investigatory measures are not likely to be effective. There should also be limits placed on the scope of data collection, as well as on the retention and re-use of data – particularly data that is not related to the crime under investigation.

There is reason to be concerned that the covert use of IMSI catchers circumvents the safeguards put in place by Parliament in the Criminal Code. The provisions of the Criminal Code that deal with warrants and production orders in the context of data and telecommunications are far from perfect, but they do attempt to provide some measure of transparency and oversight when it comes to the exercise of state surveillance and tracking powers. To the extent that IMSI catchers are used in order to circumvent the Criminal Code procedures, and under the unjustifiable claim that they do not impact on privacy rights, Canadians should be outraged. Canadians should also demand much more when it comes to transparency and accountability around the warranted use of technologies that capture large quantities of personal information of ordinary individuals engaged in their daily activities.

The furore in Canada over the cancellation of the long-form census and the subsequent elation over its reinstatement in 2016 illustrates that – well – that Canadians get excited about odd things, such as being counted for statistical purposes. Of course, not all Canadians are enthusiastic about the census. Each census period a few objectors refuse to complete the long-form census, and some are even prosecuted for their refusal. While some opposition has been based on the past involvement of defense contractor Lockheed Martin in conducting the census (this involvement apparently ended for the 2016 census), other objections have been linked to privacy concerns. Perhaps because of the extensive measures in place to protect census privacy, these concerns have gained little traction either publicly or in the courts, although they did provide the former conservative government with an excuse to cancel the long-from census.

A recent Federal Court decision considers issues of privacy and the census in a somewhat different context. In O’Grady v. Canada (Attorney General), the objection was not to the census itself, but rather to the secondary use of census data for medical research. The applicant, Kelly O’Grady, objected to an agreement that had been entered into between Statistics Canada and McGill University’s Faculty of Medicine in 2011. This agreement, like others of its kind, provided the legal framework by which medical researchers could use Stats Canada data in population health research. The McGill project seeks to assess infant mortality and newborn health in Canada by linking perinatal outcomes with risk factors related to socioeconomic status, ethno-cultural background, and environmental conditions. The researchers needed to link a sample of births from the national birth record database with data from the 1996 and 2006 national censuses.

The collection and maintenance of census data is governed by the Statistics Act, which also establishes Statistics Canada. Stats Canada does not simply hand over data of this kind to researchers. Under the terms of the agreement with McGill, Stats Canada would make the linkages between the records, and then would provide researchers with access only to de-identified information. Further, only those researchers who were either employees or deemed employees of Stats Canada would have access to the data. Under the Statistics Act, “deemed employees” are individuals who are brought under the umbrella of the Act, who must swear oaths of office that affirm that they will comply with the Act and maintain confidentiality, and who are subject to penalties under the Act for any breaches of their obligations.

The applicant objected to the use of the census data under the terms of the Agreement. She argued that it violated of the Statistics Act and the federal Privacy Act. She argued that census data could only be shared with express consent of those who had shared their personal information, and this had not been obtained. Further, she maintained that under the Privacy Act government institutions can only share information without consent in narrowly limited circumstances, and only where the disclosure is consistent with the purposes for which the information had been collected. She argued that the census information had not been collected for medical or public health research, and therefore could not be disclosed for these purposes.

The applicant had complained to the Office of the Privacy Commissioner in 2012, arguing that her personal information had been improperly used in the study. In a 2014 decision, the Privacy Commissioner agreed that the applicant’s census data constituted her personal information, and also found that census information was being used in the study for purposes that went beyond those for which it was collected. However, the Commissioner had noted that the Statistics Act expressly permitted Stats Canada to use its data in this way. Perhaps more importantly, the Commissioner found that the applicant’s own personal information had not been used in the study. The Applicant had given birth within a period that would have been captured by the study, but she did so in Ontario, and the Ontario data had been excluded from the study because of concerns regarding its quality. The Commissioner concluded that the applicant’s complaint was not well-founded.

The fact that the applicant’s personal information had been excluded from the study was an important factor. The Federal Court found that the exclusion of her data meant that she had not been – nor could she ever be – personally affected by the study, and ruled that she did not have standing to bring this application. Further, Justice Russell noted that “[t]he issues she raises and argues can only really be decided on a set of facts that includes an applicant or applicants who were directly affected, or who may be directly affected by the Study when it is eventually released” (at para 52). He noted that there was, as yet, simply no indication that any personal information had been or would be improperly disclosed as a result of the study. He also observed that there was “no indication that the Applicant’s position is anything more than her own personal position, born of her academic interests and her social activism” (at para 52).

Despite ruling that the applicant had no standing in the matter, Justice Russell nevertheless considered the merits of the application. He found that it was clear that Stats Canada had not disclosed any personal information – whether of the applicant or any other person. Only employees and deemed employees of Stats Canada had access to the raw data for the purposes of creating the data linkages. The linked data was accessible only to employees or deemed employees of Stats Canada. Other members of the McGill research team only saw non-confidential aggregate data. Justice Russell noted that the applicant had provided no evidence to show how the aggregate data could be linked to specific individuals. Although the applicant had argued that postal code data was going to be provided to the researchers in order to enable them to assess environmental factors, Justice Russell ruled that the applicant’s claim that the postal code data could be used to re-identify individuals was nothing more than an assertion. Further, he noted that there was no evidence that any postal code data had been revealed to anyone who was not an employee or deemed employee of Stats Canada.

Justice Russell also considered the argument that the disclosure of the data violated the Privacy Act because it was not for a purpose for which it had been collected. He agreed that the census data was personal information. However, he found that while the specific purpose of using the data for this study was not formed at the time of its collection during the 1996 or 2006 censuses, the purpose of the study “is to compile and analyse statistics related to the health and welfare of Canadians”, and this was a consistent with both the purpose of the census and the mandate of Stats Canada. There was therefore no inconsistency with the terms of the Privacy Act.

Although he dismissed the application, Justice Russell cautioned that this was primarily because it both involved an applicant with no standing and was premature. It was premature in the sense that it was too early to know if any personal information might be improperly disclosed. He stated that his decision “should not prevent anyone whose personal information is inappropriately used or disclosed from bringing the matter before the Court in the future” (at para 86). The bottom line, therefore, is that individuals whose interests are directly affected by inappropriate actions by Stats Canada or by researchers will have recourse to the courts. However, there is little room to raise broader privacy arguments about the use in principle of Stats Canada data in appropriate research.

Note: The following are my speaking notes for my appearance on February 23, 2026 before the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI). ETHI is currently engaged in a review of PIPEDA. My colleague Dr. Florian Martin-Bariteau also appeared before the same committee. His remarks are found here.

Thank you for the invitation to meet with you today and to contribute to your study of the Personal Information Protection and Electronic Documents Act. I am a professor at the University of Ottawa, Faculty of Law, where I hold the Canada Research Chair in Information Law. I am appearing in my personal capacity.

We are facing a crisis of legitimacy when it comes to personal data protection in Canada. Every day there are new stories about data hacks and breaches, and about the surreptitious collection of personal information by devices in our homes and on our persons that are linked to the Internet of Things. There are stories about how big data profiling impacts the ability of individuals to get health insurance, obtain credit or find employment. There are also concerns about the extent to which state authorities access our personal information in the hands of private sector companies. PIPEDA, as it currently stands, is inadequate to meet these challenges

My comments are organized around the theme of transparency. Transparency is fundamentally important to data protection and it has always played an important role under PIPEDA. At a fundamental level, transparency means openness and accessibility. In the data protection context it means requiring organizations to be transparent about the collection, use and disclosure of personal information; and it means the Commissioner must be transparent about his oversight functions under the Act. I will also argue that it means that state actors (including law enforcement and national security organizations) must be more transparent about their access to and use of the vast stores of personal information in the hands of private sector organizations.

Under PIPEDA, transparency is at the heart of the consent-based data protection scheme. Transparency is central to the requirement for companies to make their privacy policies available to consumers, and to obtain consumer consent to collection, use or disclosure of personal information. Yet this type of transparency has come under significant pressure and has been substantially undermined by technological change on the one hand, and by piecemeal legislative amendment on the other.

The volume of information that is collected through our digital, mobile and online interactions is enormous, and its actual and potential uses are limitless. The Internet of Things means that more and more, the devices we have on our person and in our homes are collecting and transmitting information. They may even do so without our awareness, and often on a continuous basis. The result is that there are fewer clear and well-defined points or moments at which data collection takes place, making it difficult to say that notice has been provided and consent obtained in any meaningful way. In addition, the number of daily interactions and activities that involve data collection have multiplied beyond the point at which we are capable of reading and assessing each individual privacy policy. And, even if we did have the time, privacy policies are often so long, complex, and vague that reading them does not provide much of an idea of what is being collected and shared, with or by whom, or for what purposes.

In this context consent has become a joke, although unfortunately the joke is largely on the consumer. The only parties capable of saying that our current consent-based model still works are those that benefit from consumer resignation in the face of this ubiquitous data harvesting.

The Privacy Commissioner’s recent consultation process on consent identifies a number of possible strategies to address the failure of the current system. There is no quick or easy fix – no slight changing of wording that will address the problems around consent. This means that on the one hand, there need to be major changes in how organizations achieve meaningful transparency about their data collection, use and disclosure practices. There must also be a new approach to compliance that gives considerably more oversight and enforcement powers to the Commissioner. The two changes are inextricably linked. The broader public protection mandate of the Commissioner requires that he have necessary powers to take action in the public interest. The technological context in which we now find ourselves is so profoundly different from what it was when this legislation was enacted in 2001 that to talk of only minor adjustments to the legislation ignores the transformative impacts of big data and the Internet of Things.

A major reworking of PIPEDA may in any event be well be overdue, and it might have important benefits that go beyond addressing the problems with consent. I note that if one was asked to draft a statute as a performance art piece that evokes the problems with incomprehensible, convoluted and contorted privacy policies and their effective lack of transparency, then PIPEDA would be that statute. As unpopular as it might seem to suggest that it is time to redraft the legislation so that it no longer reads like the worst of all privacy policies, this is one thing that the committee should consider.

I make this recommendation in a context in which all those who collect, use or disclose personal information in the course of commercial activity – including a vast number of small businesses with limited access to experienced legal counsel – are expected to comply with the statute. In addition, the public ideally should have a fighting chance of reading this statute and understanding what it means in terms of the protection of their personal information and their rights of recourse. As it is currently drafted PIPEDA is a convoluted mishmash in which the normative principles are not found in the law itself, but are rather tacked on in a Schedule. To make matters worse, the meaning of some of the words in the Schedule, as well as the principles contained therein are modified by the statute so that it is not possible to fully understand rules and exceptions without engaging in a complex connect-the-dots exercise. After a series of piecemeal amendments, PIPEDA now consists in large part of a growing list of exceptions to the rules around collection, use or disclosure without consent. While the OPC has worked hard to make the legal principles in PIPEDA accessible to businesses and to individuals, the law itself is not accessible In a recent case involving an unrepresented applicant, Justice Roy of the Federal Court expressed the opinion that for a party to “misunderstand the scope of the Act is hardly surprising.”

I have already mentioned the piecemeal amendments to PIPEDA over the years as well as concerns over transparency. In this respect it is important to note that the statute has been amended so as to increase the number of exceptions to the consent that would otherwise be required for the collection, use or disclosure of personal information. For example, paragraphs 7(3)(d.1) and (d.2) were added in 2015, and permit organizations to share personal information between themselves for the purposes of investigating breaches of an agreement or actual or anticipated contraventions of the laws of Canada or a province, or to detect or supress fraud. These are important objectives, but I note that no transparency requirements were created in relation to these rather significant powers to share personal information without knowledge or consent. In particular, there is no requirement to notify the Commissioner of such sharing. The scope of these exceptions creates a significant transparency gap that undermines personal information protection. This should be fixed.

PIPEDA also contains exceptions that allow organizations to share personal information with government actors for law enforcement or national security purposes without notice or consent of the individual. These exceptions also lack transparency safeguards. Given the huge volume of highly detailed personal information, including location information that is now collected by private sector organizations, the lack of mandatory transparency requirements is a glaring privacy problem. The Department of Industry, Science and Economic Development has created a set of voluntary transparency guidelines for organizations that choose to disclose the number of requests they receive and how they deal with them.It is time for there to be mandatory transparency obligations around such disclosures, whether it be public reporting or reporting to the Commissioner, or a combination of both. It should also be by both public and private sector actors.

Another major change that is needed to enable PIPEDA to meet the contemporary data protection challenges relates to the powers of the Commissioner. When PIPEDA was enacted in 2001 it represented a fundamental change in how companies were to go about collecting, using and disclosing personal information. This major change was made with great delicacy; PIPEDA reflected an ombuds model which allowed for a light touch with an emphasis on facilitating and cajoling compliance rather than imposing and enforcing it. Sixteen years later and with exabytes of personal data under the proverbial bridge, it is past time for the Commissioner to be given a new set of tools in order to ensure an adequate level of protection for personal information in Canada.

First, the Commissioner should have the authority to impose fines on organizations in circumstances where there has been substantial or systemic non-compliance with privacy obligations. Properly calibrated, such fines can have an important deterrent effect, which is currently absent in PIPEDA. They also represent transparent moments of accountability that are important in maintaining public confidence in the data protection regime.

The toolbox should also include the power for the Commissioner to issue binding orders.I am sure that you are well aware that the Commissioners in Quebec, Alberta and British Columbia already have such powers. As it stands, the only route under PIPEDA to a binding order runs through the Federal Court, and then only after a complaint has passed through the Commissioner’s internal process. This is an overly long and complex route to an enforceable order, and it requires an investment of time and resources that places an unfair burden on individuals.

I note as well that PIPEDA currently does not provide any guidance as to damage awards. The Federal Court has been extremely conservative in damage awards for breaches of PIPEDA, and the amounts awarded are unlikely to have any deterrent effect other than to deter individuals who struggle to defend their personal privacy. Some attention should be paid to establishing parameters for non-pecuniary damages under PIPEDA. At the very least, these will assist unrepresented litigants in understanding the limits of any recourse available to them.

The Federal Court of Canada has ordered a Romanian company and its sole proprietor to cease publishing online any Canadian court or tribunal decisions containing personal information. It has also awarded damages against the company’s owner. The decision flows from an application made pursuant to s. 14 of the Personal Information Protection and Electronic Documents Act(PIPEDA). The applicant had complained to the Privacy Commissioner of Canada regarding the activities of the defendant and his website Globe24h.com. The Commissioner ruled the complaint well-founded (my comment on this finding is here). However, since the Commissioner has no power to make binding orders or to award damages, the applicant pursued the matter in court.(Note that the lack of order-making powers is considered by many to be a weakness of PIPEDA, and the Commissioner has suggested to Parliament that it might be time for greater enforcement powers.)

Globe24h.com is a Romania-based website operated by the respondent Radulescu. The site re-publishes public documents from a number of jurisdictions, including Canada. The Canadian content is scraped from CanLII and from court and tribunal websites. This scraping is contrary to the terms of use of those sites. The Canadian court websites and CanLII also prevent the indexing of their websites by search engines; this means that a search for an individual by name will not turn up court or tribunal decisions in which that individual is named. This practice is meant to balance the privacy of individuals with the public interest in having broad access to court and tribunal decisions. Such decisions may contain considerable amounts of personal information as they may relate to any kind of legal dispute including family law matters, employment-related disputes, discrimination complaints, immigration proceedings, bankruptcy cases, challenges to decisions on pensions or employment insurance, criminal matters, disputes between neighbors, and so on. In contrast, the Globe24h.com website is indexed by search engines; as a result, the balance attempted to be struck by courts and tribunals in Canada is substantially undermined.

The applicant in this case was one of many individuals who had complained to the Office of the Privacy Commissioner (OPC) after finding that a web search for their names returned results containing personal information from court decisions. The applicant, like many others, had sought to have his personal information removed from the Globe24h website. However, the “free removal” option offered by the site could take half a year or more to process. The alternative was to pay to have the content removed. Those who had opted to pay for removal found that they might have to pay again and again if the same information was reproduced in more than one document or in multiple versions of the decision hosted on the Globe24h web site.

The first issue considered by the Federal Court was whether PIPEDA could apply extraterritorially to Globe24h.com. In general, a country’s laws are not meant to apply outside its boundaries. Although the Federal Court referred to the issue as one of extraterritorial application of laws, it is more akin to what my co-authors and I have called extended territoriality. In other words, PIPEDA will apply to activities carried out in Canada and with impacts in Canada – even though the actors may be located outside of Canada. The internet makes such situations much more common. In this case, Radulescu engaged in scraping data from websites based in Canada; the information he collected included personal information of Canadians. He then, through his company, charged individuals fees to have their personal information removed from his website. The Court found that in these circumstances, PIPEDA would apply.

It was clear that the respondent had collected, used and disclosed the personal information of the applicant without his consent. Although Radulescu did not appear before the Federal Court, he had interacted with the OPC during the course of the investigation of the complaint against Globe24h.In that context, he had argued that he was entitled to benefit from the exception in PIPEDA which permitted the collection, use and disclosure of personal information without consent where it is for journalistic purposes. There is little case law that addresses head-on the scope of the “journalistic purposes” exception under PIPEDA. Justice Mosely found that the criteria proposed by the Canadian Association of Journalists, and supported by the OPC, provide a “reasonable framework” to define journalistic purposes:

. . . only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.” (at para 68)

Justice Mosley found that “journalistic purposes” required something more than making court decisions available for free over the internet without any value-added content. He also noted that the statutory exception applies only where the collection, use or disclosure of personal information is for journalistic purposes and for no otherpurpose. Here, he found that the respondent had other purposes – namely to profit from charging people to remove their personal information from the website.

The respondent had also argued that he was entitled to benefit from the exception to the consent requirement because the information he collected, used and disclosed was ‘publicly available’. This exception is contained in PIPEDA and in regulations pertaining to publicly available information. While court and tribunal decisions fall within the definition of publicly available information, the exception to the consent requirement is only available where the collection, use or disclosure of the information relates “directly to the purpose for which the information appears in the record or document.” (Regs, s. 1(d)). In this case, Justice Mosley found that the respondent’s purpose did not relate directly to the reasons why the personal information was included in the decisions. Specifically, the inclusion of personal information in court decisions is to further the goals of the open courts principle, whereas, in the words of Justice Mosley, the respondent’s purpose “serves to undermine the administration of justice by potentially causing harm to participants in the justice system.” (at para 78)

PIPEDA contains a requirement that limits data collection, use or disclosure by an organization to only where it is “for purposes that a reasonable person would consider are appropriate in the circumstances.” (s. 5(3)). Justice Mosely noted that the Canadian Judicial Council’s policies on the online publication of court decisions strongly discourages the indexing of such decisions by search engines in order to strike a balance between open courts and privacy. This led Justice Mosely to conclude that the respondent did not have a bona fide business interest in making court decisions available in a way that permitted their indexing by search engines. Therefore the collection, use and disclosure of this information was not for purposes that a reasonable person would consider to be appropriate.

Having found that the respondent had breached PIPEDA, Justice Mosley next considered the issue of remedies. The situation was complicated in this case by the fact that the respondent is based in Romania. This raised issues of whether the court should make orders that would have an impact in Romania, as well as the issue of enforceability. The applicant was also pursuing separate remedies in Romania, and Justice Mosley noted that a court order from Canada might assist in these objectives. The OPC argued that it would be appropriate for the Court to make an order with a broader impact than just the applicant’s particular circumstances. The number of other complaints received by both CanLII and the OPC about personal information contained in decisions hosted on the Romanian site were indicative of a systemic issue. Justice Mosley was also influenced by the OPC’s argument that a broad order could be used by the applicant and by others to persuade search engines to de-index the pages of the respondent’s websites. Accepting that PIPEDA enabled him to address systemic and not just individual problems, Justice Mosely issued a declaration that the respondent had violated PIPEDA, and ordered that he remove all Canadian court and tribunal decisions that contain personal information. He also ordered that the respondent take steps to ensure that these decisions are removed from search engine caches. The respondent was also ordered to refrain from any further copying or publishing of Canadian court or tribunal decisions containing personal information in a manner that would violate PIPEDA.

The applicant also sought damages for breach of PIPEDA. Damages awards have been a weak spot under PIPEDA. The Federal Court has been extremely conservative in awarding damages; this tendency has not been helped by the fact that the overwhelming majority of applications have been brought by self-represented litigants. In this case, Justice Mosley accepted that the breach was egregious, and noted the practice of the respondent to profit from exploiting the personal information of Canadians. He also noted that the level of disclosure of personal information was extensive because of the bulk downloading and publishing of court decisions. Finally, he noted that the respondent “has also acted in bad faith in failing to take responsibility and rectify the problem” (at para 103). In the circumstances, one might have expected an order of damages far in excess of the modest $5000 ultimately ordered by Justice Mosely. This amount seems disproportionate to the nature of the breach, as well as to the impact it had on the applicant and the extensive steps he has had to take to try to address the problem. Even though recovering any amount from the respondent might be no more than a pipe dream in the circumstances, the amount set in this case would seem to lack any deterrent effect and is hardly proportionate to the nature of the breach.

Overall, this decision is an important one. It confirms the application of PIPEDA to the collection, use or disclosure of personal information of Canadians that is linked to Canada, even where the respondent is located in another country. It also provides clarification of the exceptions to consent for journalistic purposes and for publicly available information. In this regard, the court’s careful reading of these exceptions prevents them from being used as a broad licence to exploit personal information. The court’s reasoning with respect to its declaration and its order is also useful, particularly as it applies to the sanctioning of offshore activities. The only weakness is in the award of damages; this is a recurring issue with PIPEDA and one that may take legislative intervention to address.